Lecture 1
Types of Forensics
Industrial Actions
- employment guidelines
Civil Actions
- business operations; divorce
Criminal Actions
- using a device to commit a crime; stealing the device
Malware Intrusion
Intrusions
Script Kiddies
Black Hat Hackers
Criminals
The Big Boys - governments; employers; military
Live Forensics
- device is live and attack is current or very recent
- capture live evidence before power down
Disk Forensics
- device is powered down, or attack is over
- want to examine permanent disk or usb storage for traces of the attack
Order of Volatility
1. CPU Registers, CPU Cache
2. Routing Table, Process table, Memory allocation
3. Temporary File Systems, Swap Space
4. Disks
5. Remote logging (such as syslog)
6. Network Topology, Device Hardware
7. Archived data
Forensic Methods
1. Obtain Authority to search
2. Secure and isolate
- locate removable media
- secure mobile devices (Faraday bag)
- collection methods must not alter evidence
3. Record the scene
- document and photograph; store on Read-only media
4. Conduct a systematic search for evidence
- order of volatility
5. Collect and package evidence
- maintain chain of custody (continuity of possession): handlers may have to testify; the CoC form logs when, where and why evidence was transferred. Minimises loss or contamination.
- hash files for digital fingerprint
6. Analyse evidence in a forensic lab: work on a copy (raw image file or in a forensic container)
7. Prepare forensic report
8. Submit evidence as an expert witness
- expert opinion to court
9. Methods challenged
Data Integrity
AUTHENTICATION
Identify source of evidence
- Human and digital device
Oral evidence (suspect identifies his laptop)
Circumstantial evidence
Digital evidence (private encryption key - compelling)
REPEATABILITY
Copy + Paste vs Cloning: Cloning copies everything including metadata, etc.
Name and version of all tools used must be documented, so a second investigator is able to follow the same steps
Locard's EXCHANGE Principle:
- Contact between two items = an exchange
- Between suspect and victim
- Between investigator and crime scene
- PHYSICAL exchange e.g. fingerprint
- DIGITAL exchange e.g. email
- In a computer intrusion, attacker may leave evidence in disk space, log files and Win Registry
- Act of sending an email may leave traces on the sender's hard disk, complete with time stamps
INTEGRITY
- Confirm evidence has not been altered after collection: compare hashes
- Evidence usually kept as disk files; hash the files for digital fingerprints once collected
- Hash the working copy of the evidence; it should match the original's hash (hash verification before analysis)
FORENSIC ACQUISITION
- 3 Methods:
o RAM dump: copies content from system memory
o Logical copying: of files / network systems, to removable media
o Physical acquisition: of the entire system; access to volatile data
- 4 Types: Physical; Logical; Live; Targeted File
- Prove any alterations are minor
- Work on a copy of the disk: a similar disk | raw image file | forensic container
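An added example (my code, not from the lecture notes) of the hashing and chain-of-custody steps above: hash the acquired file, log each transfer together with the hash, and verify the working copy against the original before analysis. File names, handler names and the 4 KiB stand-in image are constructed.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB pieces: disk images are large


def sha256_file(path):
    """Digital fingerprint of a file (read in chunks, so large images fit)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def coc_entry(path, handler, where, why, log):
    """Append a chain-of-custody record: who handled the item, when, where and
    why, plus its hash at that moment so later alteration can be detected."""
    entry = {
        "item": os.path.basename(path),
        "sha256": sha256_file(path),
        "handler": handler,
        "when": datetime.now(timezone.utc).isoformat(),
        "where": where,
        "why": why,
    }
    log.append(entry)
    return entry


def verify_copy(original_hash, copy_path):
    """Before analysing a working copy, confirm it still matches the original."""
    return sha256_file(copy_path) == original_hash


if __name__ == "__main__":
    work = tempfile.mkdtemp()
    original = os.path.join(work, "laptop.raw")  # constructed stand-in for an image
    with open(original, "wb") as f:
        f.write(os.urandom(4096))
    log = []
    seized = coc_entry(original, "Officer A", "scene", "seizure", log)
    copy = os.path.join(work, "laptop_copy.raw")
    shutil.copyfile(original, copy)
    coc_entry(copy, "Examiner B", "lab", "working copy for analysis", log)
    print("copy matches original:", verify_copy(seized["sha256"], copy))
    print(log)
```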
EVIDENCE CHARACTERISTICS
Traces:
- CLASS: apply to many cases, e.g. a copy of Word 2007 found on the suspect's laptop
- INDIVIDUAL: apply to one case, e.g. Photoshop's serial number embedded in every image it produces
LEVELS OF CERTAINTY
C0 Evidence contradicts known facts
- Incorrect
C1 Evidence is highly questionable
- Highly uncertain
C2 Only one source of evidence which is not protected against tampering
- Somewhat uncertain
C3 Some tamper protection, some inconsistencies
- Possible
C4 Evidence is tamperproof or there are multiple independent sources of evidence that agree
- Probable
C5 Tamperproof evidence from several independent sources that agree, some minor uncertainties (loss of data, timing uncertainties)
- Almost certain
C6 Tamperproof evidence with a high statistical probability
- Certain
Forensic Soundness requires technique that preserves evidence
Lecture 2 Reconnaissance
Data Breaches
Stealing login credentials
Backdoors: local PC or C&C link
SQL Injection: database manipulation
Source of Breach
- External
- Internal
- Business Partner
Principles of Security
Deny by default: not ideal
Defence in depth: hierarchy
Complex = Insecure
Least privilege principle: need-to-know accessibility
Security not obscurity: IIS vs Apache
Types of Attack
Operating System
- Buffer overflows in faulty code
Man in the Middle
- DNS, DHCP, VPN
Web Applications
- SQL Injection
- XSS (Cross Site Scripting)
Malware
- Virus Writer Apps
Cyber Attacks
Cyber Crime
Hacktivism
Cyber Warfare
Cyber Espionage
HACKING PHASES
Reconnaissance
- Monitoring and gathering general info about the client
Scanning
- Looking for specific network info
- ip addresses, ip ports, software versions
Gaining Access
- Cracking passwords, hijacking sessions
Maintaining Access
- Installing backdoors and root kits
Clearing tracks
- Delete files and cleanout log files
RECONNAISSANCE PHASE
AKA Footprinting
- Forming an understanding of the target/client business
- Physical presence
- Internet presence
Usually passive information gathering
- Internet searching different sources
Can be active (with risk)
- Social engineering
Network Information
o Domain Names
DNS registers
o Address blocks
Used by a target company
o Active IP addresses
Part of scanning, done later
o IP Access Paths
Use of Autonomous System Numbers (ASNs)
Part of BGP routing protocol
Organisation Information
o Employee details
o Company websites
o ABN Register
o Address and phone numbers
o News Articles / Press releases
o Competitive Intel
INTERCEPTING PROXY
PROXY = Man in the Middle
A form of Transparent proxy
Intercepts web traffic between client and server
Allows inspection of Web Sessions
Burp Suite common example
An extension of inspection is to modify traffic, e.g. to gain access to a session
Search Techniques
Google hacking: advanced search operators to locate specific strings in text; deleted data can remain in the cache
o "#-Frontpage-" inurl:administrators.pwd
o "#-FrontPage-" inurl:(service | authors | administrators | users) ext:pwd
o inurl:"ViewerFrame?Mode=" live cams
Netcraft Reports
Web crawler robots
Google Earth
People / social media: Facebook
Competitive Intel: check out a company; bankruptcies
DNS: table of name:IP-number pairs
Copies of often-used names are cached in the local DNS server
nslookup tool
- Allows talking to a DNS server, much as HTTP allows asking a web server for a page name
- Built into Windows and Linux (Linux also has dig)
i. select DNS name server to query (or default)
ii. set DNS record type desired (default is A)
iii. set web name
iv. send query
>nslookup  (shows default server; IP address)
>set type=RP  (returns primary name server; responsible mail addr)
>set type=ns  (returns default server)
>set type=A  (returns name; address)
Find processes running Java: >listdlls | grep java
Lecture 3 Cookies
COOKIE TYPES
i. Session Cookie
- No expiry date, deleted by browser when session ends
ii. Persistent Cookies (tracking cookies)
- Expiry date in future
iii. Secure Cookie
- Sent encrypted using https
iv. Third Party Cookies (for marketing)
- Set from a different URI domain; InPrivate Filtering can stop them
- Web page tracking used by advertisers; provides content under the Pay Per Click (PPC) business model
Browser Storage:
- IE folder: C:\Users\...\AppData\Roaming\Microsoft\Windows\Cookies
Win+R; shell:Cookies
Low folder used when UAC is activated [Control Panel > Action Centre]
Database: Index.dat (Pasco viewer)
o Another Index.dat is used to index web browser history files
- Mozilla: C:\Users\...\AppData\Roaming\Mozilla
Database: sqlite (SQLite Manager add-on)
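An added example (my code, not from the notes) that reads cookies out of an SQLite store like Mozilla's and labels each one with the four cookie types listed above. The table layout is a simplified one modelled on Firefox's moz_cookies, the rows are constructed sample data, and using expiry 0 to stand for a session cookie is an assumption of the example.

```python
import sqlite3

SCHEMA = """CREATE TABLE moz_cookies (
    name TEXT, value TEXT, host TEXT, path TEXT,
    expiry INTEGER, isSecure INTEGER, isHttpOnly INTEGER)"""

SAMPLE_ROWS = [  # constructed sample data, not real browser contents
    ("PHPSESSID", "k3j4", ".shop.example", "/", 0, 0, 1),
    ("remember_me", "y", ".shop.example", "/", 1893456000, 1, 1),
    ("__utma", "1.2.3.4.5.6", ".shop.example", "/", 1893456000, 0, 0),
    ("ad_id", "x9", ".ads-network.test", "/", 1893456000, 0, 0),
]


def registrable(host):
    """Crude eTLD+1: the last two labels, ignoring a leading dot (an assumption)."""
    return ".".join(host.lstrip(".").split(".")[-2:])


def classify(row, page_host):
    """Return the set of cookie types (as listed in the notes) a row belongs to."""
    name, value, host, path, expiry, secure, _httponly = row
    types = {"session" if expiry == 0 else "persistent"}  # expiry 0 = session (assumed)
    if secure:
        types.add("secure")        # only sent over HTTPS
    if registrable(host) != registrable(page_host):
        types.add("third-party")   # set from a different domain than the page
    return types


def classify_store(conn, page_host):
    """Classify every cookie in the store relative to the visited page host."""
    cur = conn.execute("SELECT name, value, host, path, expiry, isSecure, isHttpOnly "
                       "FROM moz_cookies")
    return {row[0]: sorted(classify(row, page_host)) for row in cur}


def build_sample_store():
    """In-memory stand-in for cookies.sqlite, loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO moz_cookies VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


if __name__ == "__main__":
    for name, kinds in classify_store(build_sample_store(), "www.shop.example").items():
        print(f"{name:12} {', '.join(kinds)}")
```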
Urchin Tracking Modules
UTMA Visitor Identifier: tracks dates and visits
UTMB 30 Minute session identifier
B/C: indicate session expired
UTMC On exit identifier
UTMV Custom variable cookie
UTMZ Visitor segmentation: tracks the user
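An added example (my code, not from the notes) decoding the __utma and __utmz values into the visit timestamps and traffic-source fields an examiner would read off them. The field order follows the documented Google Analytics cookie layout; the cookie values in the demo are constructed.

```python
from datetime import datetime, timezone


def _ts(seconds):
    """Unix seconds (as stored in the cookie) to an ISO 8601 UTC string."""
    return datetime.fromtimestamp(int(seconds), tz=timezone.utc).isoformat()


def parse_utma(value):
    """__utma = domainhash.visitorid.firstvisit.previousvisit.currentvisit.sessioncount
    Gives the visitor id plus first / previous / current visit times."""
    dh, vid, first, prev, cur, count = value.split(".")
    return {
        "domain_hash": dh,
        "visitor_id": vid,
        "first_visit": _ts(first),
        "previous_visit": _ts(prev),
        "current_visit": _ts(cur),
        "session_count": int(count),
    }


def parse_utmz(value):
    """__utmz = domainhash.timestamp.sessioncount.campaigncount.key=val|key=val...
    Keys: utmcsr (source), utmccn (campaign), utmcmd (medium), utmctr (search term).
    maxsplit=4 keeps dots inside the source name (e.g. a referring host) intact."""
    dh, ts, sessions, campaigns, rest = value.split(".", 4)
    fields = dict(kv.split("=", 1) for kv in rest.split("|"))
    return {
        "domain_hash": dh,
        "timestamp": _ts(ts),
        "session_count": int(sessions),
        "campaign_count": int(campaigns),
        "source": fields.get("utmcsr"),
        "campaign": fields.get("utmccn"),
        "medium": fields.get("utmcmd"),
        "term": fields.get("utmctr"),
    }


if __name__ == "__main__":
    # constructed cookie values
    print(parse_utma("173272373.1234567890.1600000000.1600086400.1600172800.3"))
    print(parse_utmz("173272373.1600172800.3.2.utmcsr=google|utmccn=(organic)|"
                     "utmcmd=organic|utmctr=forensics"))
```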
Temporary Internet Files
HTTP allows web browsers to cache recently visited web pages.
When the viewer revisits a page, HTTP checks the date on the cached page and decides whether to show the cached copy or refresh the page from the server.
Caching cuts down web traffic and speeds web page rendering.
Location chosen by webpage layout engine:
IE : Trident
Firefox : Gecko
Chrome : Blink
Web History
InPrivate Browsing (IE)
Protects against local and web attack
Hides web history data
Recovery
Volatile memory
- System history & Process history
Disk
- Temporary files (incl. cached) & swap files
Local DNS server cache
- dhcp
- ssh | telnet
- switch STP, routing protocols (OSPF), windows AD
- access website, send/receive email, access work connection (VPN)
- as above, back-door
Attack on a Digital Device can be performed in person or over the digital network.
A Network Attack:
Open trapdoor on target device
Contact target device from a remote device
Exchange network packets to:
- Install snooping software
- Then retrieve sensitive information such as passwords
Network Intrusion Detection:
Special intrusion detection hardware (IDS/IPS)
Equip firewall with IDS features
Have a network-based IDS to examine all network packets
Have a host-based IDS to examine local network activity
Record network activity in local log files
Use local firewall / virus scanner
Locating Network Evidence:
Suspects device
Local network
ISP
Remote website
NBE Tools
Best tools run on Linux / FreeBSD
TCPDump: full content capture
WinPcap: Windows version of libpcap
Packets analysed using Wireshark or Snort, online or from a packet dump
TCPView: session data
Snort: provides alert data in addition to the IPS
Processes
o A running program launched from an exe
o Every task in a PC runs as a process
o Forensic examiners inspect processes to locate evidence
Process Startup
- Task Manager: how it was started, publisher, when written
- Tasklist (built into Windows)
- PsList (SysInternals)
Memory Process Footprint
Each process has artifacts that identify it in RAM:
- Open file handles
- Recent dlls used
- Memory mappings
- Network connections (sockets)
- Privileges
Windows DLLs
o Dynamic Link Library: a piece of code that can be shared by one or more processes
o Stored on disk in Windows
o Difficult to spot a DLL introduced by malware
o Malware can also alter an existing DLL; detect this by examining the DLL's hash
o View running DLLs: Listdlls | Tasklist
Listdlls shows how a process was launched: >listdlls cmd | grep -A2 pid
Viewing DLL version detail: >listdlls -v > process_detail.txt
Viewing with Tasklist: >tasklist /m /fi "imagename eq cmd.exe"
/m = list modules
/fi = filter by name or PID
Services
o Long-running processes
o No user interface
o Many services start automatically at boot
o Similar to daemons in Linux
o Some used for networking: WebClient; Remote Procedure Calls (RPC)
o Can be run by the Service Host process: svchost.exe
o See running services: call the service controller sc with the queryex (extended) option: >sc queryex